diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 2328a24..3d9e512 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,3 +1,8 @@
+<!-- PR TITLE: use Conventional Commits format — the commit-lint CI check enforces this.
+     type(scope): Description    →    feat(docker): Add versioned Node stage
+     Valid types: feat · fix · docs · chore · ci · refactor · test · perf · revert
+     Breaking change: add ! after type  →  feat!: Switch to pre-built images -->
+
 ## Summary
 
 <!-- What does this PR do? Why? -->
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 7cc27a2..18802c3 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,6 +12,9 @@ updates:
     labels:
       - "dependencies"
       - "docker"
+    commit-message:
+      prefix: "chore"
+      include: "scope"   # → chore(deps): bump trivy from 0.69.2 to 0.69.3
 
   # app_tests Dockerfile — same as above, plus golang and securego/gosec.
   - package-ecosystem: "docker"
@@ -21,6 +24,9 @@ updates:
     labels:
       - "dependencies"
       - "docker"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
 
   # GitHub Actions — tracks all uses: ... action versions.
   - package-ecosystem: "github-actions"
@@ -30,3 +36,6 @@ updates:
     labels:
       - "dependencies"
       - "github-actions"
+    commit-message:
+      prefix: "ci"
+      include: "scope"   # → ci(deps): bump actions/checkout from v3 to v4